Wire to Replace Signal as Standard in the Bundestag
45 points
2 hours ago
| 10 comments
| heise.de
| HN
arianvanp
1 hour ago
[-]
Working on the foundation of this (getting Wire deployed at and certified by the BSI) was my first job out of college 7 years ago and how I ended up in Berlin. And once you end up in Berlin you can never leave, it seems.

I was actually on site at the Bundeskanzleramt and they had requirements of being able to install the entire server stack airgapped. We ended up building quite a cool delivery method based on Nix to ship the whole closure of the system and the containers inside and spin up a Kubernetes cluster with it. I'm wondering if it is still being used.

Amazing to see it's still going strong :)

reply
raihansaputra
56 minutes ago
[-]
What was the media for updates? Send them a CD or a flashdisk and they plug it in? I assume the PVC backing etc they handle on their own?
reply
arianvanp
22 minutes ago
[-]
Yes, updates were delivered using a flash drive.

> PVC backing

Yeh. But wire's storage is based on Cassandra which handles replication of storage. So you could deploy it on local nvme drives as well using a local storage CSI.

That's also how the wire.com cloud is/was run. Large Cassandra cluster on top of EC2 Instance Store as opposed to EBS.

reply
rrr_oh_man
1 hour ago
[-]

  > first job out of college 7 years ago
  > Amazing to see it's still going strong
Yup, sounds like a government project...
reply
looperhacks
41 minutes ago
[-]
The earliest doc I can find quickly shows that the BSI already recommended Wire in 2021 (at least; couldn't find anything earlier). The actual authorization seemed to have happened some time in 2024, but it's possible that just nobody asked for the formal approval before that.

What I'm saying is - just because the BSI authorizes something, doesn't mean that it has to reach the Bundestag ;)

reply
Arathorn
1 hour ago
[-]
there is a definite irony in switching from being vendorlocked to Signal (open source but closed and locked to a US non-profit) to being vendorlocked to Wire (open source but closed and locked to a German/Swiss for-profit) - talk about jumping from the frying pan into the fire :)

Meanwhile the rest of Europe (and much of the rest of Germany) seems to have converged on Matrix as a genuine open standard with various different commercial vendors (Element, Rocket Chat, Famedly, connect2x etc), avoiding vendor lock and so giving actual digital sovereignty: https://element.io/matrix-in-europe

reply
raffael_de
2 minutes ago
[-]
i suppose that's what you get when you desire secure communication on one hand but at the same time strive for total surveillance. i'm not sure what data wire is able to provide when legally requested but at least they know where to send the letter.
reply
eembees
2 hours ago
[-]
> The Bundestag administration actively provides Wire as an alternative to commercial platforms such as WhatsApp or Signal.

Any idea why Signal is deemed a "commercial platform" by DBT administration?

reply
anthonj
1 hour ago
[-]
It's owned by an American no-prrofit with a dedicated subsidiary, so still a commercial product and (more relevant) usa-based with all the potential implications. Wire is for profit but german-swiss.
reply
mr_mitm
1 hour ago
[-]
Wire is also a commercial product though
reply
zarzavat
1 hour ago
[-]
It's a commercial entity that is within EU jurisdiction, whereas Signal is within US jurisdiction. The distinction is important if for example a hostile country were to invade the territory of an EU member state, let's say a large island...
reply
c0l0
1 hour ago
[-]
One of my most esteemed former co-workers used to say that whenever you succeed in making something idiot-proof, the universe will create a better idiot, undoing any progress you made.
reply
vidarh
46 minutes ago
[-]
I'm very curious where that saying comes from now. I haven't found anything conclusive, like [1]'s friend I thought it might have been Douglas Adams, but a few references refers to it as "Grave's Law". After a few searches, I can't find any references to that which I can date further back than '99. But variants of the saying is at least as old as '89 (Rick Cook's version in [1]), but it's the kind of thing that sounds like a sufficiently "obvious" extension of the far older view that human stupidity has no bounds that it feels surprising if it is that recent.

[1] https://www.samyoung.co.nz/2025/03/building-better-idiot.htm...

reply
episodeiv
22 minutes ago
[-]
The form I know is attributed to Douglas Adams[1]:

“A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.”

[1] https://www.goodreads.com/quotes/6711-a-common-mistake-that-...

reply
dmos62
1 hour ago
[-]
Anybody care to give their take on which alternative messengers are better for everyday use? Alternative as in not owned by mega corps. Does Signal have the best UX for non-technical people or casual use? Would be nice to move some conversations over to such a messenger, but don't want to force the other parties to experiment too much.
reply
throawayonthe
1 hour ago
[-]
signal 100% has the best UX for non-technical users out of messengers i'd actually consider reasonably secure

the best on ux is probably telegram, but i'm trying to move a few people off it anyway

reply
hutattedonmyarm
33 minutes ago
[-]
I'd say that Threema has better UX than Signal, but both are fine. Neither great, but fine
reply
Mashimo
1 hour ago
[-]
I have 70+ year old relatives who use Signal. It works quite nice. Similar to whatsapp.
reply
jraph
1 hour ago
[-]
Are Wire, Signal, Telegram backed by mega corps though?
reply
dmos62
1 hour ago
[-]
I meant that as some candidates that aren't backed by mega corps.
reply
jraph
1 hour ago
[-]
Ah, okay. I see you rephrased.
reply
dmos62
1 hour ago
[-]
Yeah, sorry for omitting an edit message.
reply
jraph
9 minutes ago
[-]
No problem :-)
reply
boredishBoi
1 hour ago
[-]
Beeper is owned by Automattic (of Wordpress fame). They’re a corp but I wouldn’t call them mega and they use matrix which is an open federated protocol.

You can run your own matrix server but tbh it’s easier for someone else to do it.

Not to mention the obvious advantages of their bridges into the closed networks of WhatsApp/fb/x/instagram etc

reply
Markoff
52 minutes ago
[-]
the ones most of your contacts use, what's the point finding perfect messenger if nobody you know use it and you must move people over there and anyway keep installed other app for most of the contacts?

here you have chart comparison

https://www.messenger-matrix.de/messenger-matrix-en.html

and alternative

https://www.securemessagingapps.com

personally I like Element (Matrix) and Threema

edit: btw. signal best UX? do they finally show users how to force send unencrypted SMS or you still have figure it out with google? I remember their great UX when they were forcing PIN verification with nag screens taking half or whole screen, which was the last drop I moved with whole family away from that PoS, let alone how unreliable it was, whole network down because admin in US sleeping waiting hours until he fix it, their approach (aka hatred) to users reminds me Firefox devs, left Signal even before it became popular

reply
fsflover
1 hour ago
[-]
https://matrix.org
reply
looperhacks
24 minutes ago
[-]
Now, I'm pretty confident to say that this is obviously just a red herring to distract from the fact that Frau Klöckner simply fell for a phishing attack. The usage of Signal wasn't the real problem (besides that it isn't formally approved for comms).

But since this whole ordeal started, I'm divided where to place the blame (besides the attacker, of course):

- Can we really victim-blame someone for falling for an attack? Sure, people in positions this important should know better, but I don't think we should put the blame on the victim. - Should we blame Signal for even providing the functionality that allowed the phishing in the first place? Signal announced changes that supposedly makes phishing harder, so apparently, something could've been improved before? - Should we blame the software-world entirely that having credentials that can be shared is even a thing? (Looking at passkeys) - Should we blame society that the knowledge about phishing attacks isn't ingrained into every person? (being a bit hyperbolic here) - Should we blame the administrative staff that allowed exposed politicians to even have apps that make phishing possible? It would be possible to make a super-secure messenger that needs much more verification than just "having the credentials". It's just super annoying and impractical for most people. Should we prevent exposed politicians from even having access to not super-secure messengers?

I feel like things could be improved to prevent phishing attacks in the future. I just don't know what is the most sensible point to start.

reply
Havoc
57 minutes ago
[-]
> often, the technology is not the weak point, but the human.

Also doesn’t help that the humans doing the legislating tend to be of the “I print out my emails” generation

reply
tirpen
21 minutes ago
[-]
That's not nearly as big a problem in Germany as the US.

The median age of Bundestag members is 45.4

https://data.ipu.org/parliament/DE/DE-LC01/

In the US Senate It's 63.9.

https://data.ipu.org/parliament/US/US-UC01/

reply
internet_points
2 hours ago
[-]
Wire seems fine, better than many alternatives, but ditching Signal because of the possibility for phishing seems very odd?
reply
beeforpork
1 hour ago
[-]
Odd? No, it's normal politician behaviour. Julia Klöckner herself got hacked because she is not aware of phishing. To distract from her incompetence, she urges to switch to Wire to implicitly blame Signal. It's obvious what's going on, but people have so little knowledge about digital communication and security that she will get away with it. Poor woman got hacked by insecure Signal, people will remember.
reply
iugtmkbdfil834
1 hour ago
[-]
As an argument, it barely passes initial scrutiny suggesting the real reason is not that.
reply
Grumbledour
1 hour ago
[-]
The bundestags president, Julia Klöckner, was recently a victim of phishing on signal. While there could be different motives behind her suggestion, I think they are just another facet of her not really understanding technology and security practices.

She thinks she was "hacked" on signal, and now wants to switch to something which is clearly better! Let's wait where she will want to go once she gets "hacked" there too...

While there are valid reasons for germans not to want their politicians to use private messenger apps on their private phones for official business, and american ones at that, this switch would of course change nothing about all of these problems. But at least they can claim they did something, right?

reply
iugtmkbdfil834
44 minutes ago
[-]
<< While there are valid reasons for germans not to want their politicians to use private messenger apps on their private phones for official business, and american ones at that,

Personally, I am starting to think we should ban politicians from using smartphones altogether possibly followed by other technological restrictions. It is part of my: "They Will Hate it: Good" portfolio of ideas to improve the world or at least make it a little more funny.

reply
tosti
1 hour ago
[-]
My tin foil hat says it has something to do with chat control, i.e. being able to intercept messages or to siphon messages from Alice or Bob directly.
reply
internet_points
59 minutes ago
[-]
She's suggesting her own group of contacts should switch to something that makes it easier to intercept her own messages?
reply
rrr_oh_man
1 hour ago
[-]
Ding ding ding
reply
delis-thumbs-7e
1 hour ago
[-]
This site seems to demand cookie consent for access (is that legal in EU anyway?) so can somepne provode tl;dr?
reply
victorbjorklund
1 hour ago
[-]
It is a grey zone. Some of the data protection authorities in EU have said that it's okay to do pay or consent while others have said it's not okay and it hasn't been tested by the EU court yet.
reply
Grumbledour
1 hour ago
[-]
I think the law is actually pretty clear on that front, that it is not ok, but in the meantime, all the big publishers do it and make so much money, they actually don't care much about fines, especially given the chance they might get levied against a competitor first, at which point they can quickly change that behaviour.

As so often, the biggest GDPR problem is missing enforcement.

reply
solarkraft
57 minutes ago
[-]
It’s called “pay or okay” and condemned by noyb: https://noyb.eu/en/noybs-pay-or-okay-report-how-companies-ma...

But actual enforcement of GDPR has always been shoddy. First the “legitimate use” loophole, now this.

It’s a bit ironic that heise does this, since they probably have one of the most sensitive readerships to this.

reply
fmajid
38 minutes ago
[-]
The EU Data Protection Board, which unlike noyb is an official part of the EU, albeit not from the judicial branch, has also come out against pay-or-consent.
reply
crimsoneer
1 hour ago
[-]
This seems silly. Signal is great, let's not all start spinning up our own dedicated, not interoperable national messenger applications.
reply
dmos62
1 hour ago
[-]
Europe wants to use European infrastructure. Reasons given are politeness.
reply
PeterSmit
1 hour ago
[-]
Which makes total sense given the current political situation.
reply
Grumbledour
1 hour ago
[-]
The problem though is, using undocummented communication channels on private phones by people not technically inclined. That Signal is an american company and subject to NSA scrutiny while the users a politicians of a foreign goverment only makes this worse.

So, national messengers, controlled by experts, that archive communication and run on trusted hardware, would be the best solution for the work of democratic goverments I would think.

Of course, the possibility of software quality and security experts in service of the goverment is probably just wishful thinking.

reply
otabdeveloper4
1 hour ago
[-]
Kumbaya?

Good idea, let's all live in peace and harmony. (But first we need to sanction and regime change all the bad countries.)

reply